
VersionOps 1.8.5 — Security Hub & Container Scanning

Introducing the unified Security Hub and container image scanning powered by Trivy. Scan Docker images, Terraform files, and Kubernetes manifests for vulnerabilities — all from one dashboard.

Overview

Release 1.8.5 introduces the Security Hub — a unified security dashboard that brings together vulnerability scanning across your entire stack: container images, Infrastructure as Code, Kubernetes manifests, and application dependencies. Scanning is powered by Trivy, the industry-leading open-source vulnerability scanner.

Why a Security Hub?

As infrastructure grows, security data fragments across tools and dashboards. You might use one tool for npm CVEs, another for Docker image scanning, and yet another for Terraform misconfigurations. The Security Hub brings it all together:

  • One dashboard for all vulnerability types
  • Unified severity tracking across containers, IaC, and dependencies
  • Trend analysis to measure your security posture over time
  • Centralized alerting through your existing notification channels

Container Image Scanning

The headline feature: scan your Docker images for known vulnerabilities.

How It Works

  1. Go to Security > Container Images
  2. Click Add Image and enter an image reference (e.g., nginx:1.25, node:20-alpine)
  3. Click Scan — VersionOps sends the image to Trivy and presents the results

What Gets Scanned

Trivy analyzes every layer of your container image:

  • OS packages — apt, apk, yum packages with known CVEs
  • Language packages — npm, pip, gem, cargo dependencies embedded in the image
  • Binaries — standalone binaries with known vulnerabilities

Results

Each scan shows:

Field                 Description
Severity breakdown    Critical, High, Medium, Low counts
CVE details           CVE ID, affected package, installed version, fixed version
CVSS score            Numeric severity rating
Remediation           Which version to upgrade to

Auto-Scanning

Enable auto-scan for any tracked image with a configurable interval (1–168 hours). VersionOps will automatically re-scan and alert you when new vulnerabilities are discovered.

This is especially useful for base images like node:20 or python:3.12 that receive frequent security patches.

Infrastructure as Code Scanning

Catch misconfigurations before they reach production.

Supported Formats

  • Terraform (.tf files)
  • CloudFormation (YAML/JSON templates)
  • Dockerfile — best practices and security issues
  • Kubernetes manifests — Deployments, Services, ConfigMaps
  • Helm charts — template analysis

What It Finds

IaC scanning detects issues like:

  • S3 buckets without encryption
  • Security groups with overly permissive rules
  • Containers running as root
  • Missing resource limits in Kubernetes pods
  • Hardcoded secrets in configuration files

Each finding includes the file path, line number, severity, and a specific resolution.

Kubernetes Security Analysis

For teams running Kubernetes, the K8s scanner checks your manifests against:

  • CIS Kubernetes Benchmarks — industry-standard security checks
  • Pod Security Standards — restricted, baseline, privileged
  • Network policy gaps — missing ingress/egress controls
  • RBAC issues — overly permissive roles and bindings
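As an added example (not VersionOps code and not Trivy's own rules), the Python below implements the kind of manifest checks an IaC scanner runs for the findings listed above: containers that may run as root, privileged containers, privilege escalation left enabled, and missing resource limits. The rules are a subset of the Pod Security Standards "restricted" profile. The two manifests are constructed samples written as Python dicts (rather than YAML) so the example runs without extra libraries; the finding ids and severities are my own naming, not VersionOps's.

```python
"""Check a Kubernetes workload manifest for common pod-hardening gaps.

Findings: containers that may run as root, privileged containers, privilege
escalation not disabled, and missing CPU/memory limits. These are a subset of
the Pod Security Standards 'restricted' profile; ids/severities are illustrative.
"""

# Constructed sample: a Deployment with the weak settings an IaC scanner flags.
WEAK_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "web", "image": "example/web:1.0",
         "securityContext": {"privileged": True}},
    ]}}},
}

# Constructed sample: the same Deployment with the settings corrected.
HARDENED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [
            {"name": "web", "image": "example/web:1.0",
             "securityContext": {"allowPrivilegeEscalation": False,
                                 "capabilities": {"drop": ["ALL"]}},
             "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}},
        ]}}},
}


def pod_spec(manifest: dict) -> dict:
    """Return the PodSpec of a bare Pod or of a templated workload (Deployment, Job, ...)."""
    if manifest.get("kind") == "Pod":
        return manifest.get("spec", {})
    return manifest.get("spec", {}).get("template", {}).get("spec", {})


def check_pod_security(manifest: dict) -> list:
    """Return one finding dict per problem: id, severity, container name and a fix."""
    spec = pod_spec(manifest)
    pod_ctx = spec.get("securityContext") or {}
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        ctx = c.get("securityContext") or {}
        # runAsNonRoot may be set at pod level; a container-level value overrides it.
        run_as_non_root = ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot"))
        if run_as_non_root is not True:
            findings.append({"id": "RUNS_AS_ROOT", "severity": "HIGH", "container": name,
                             "fix": "set securityContext.runAsNonRoot: true"})
        if ctx.get("privileged") is True:
            findings.append({"id": "PRIVILEGED", "severity": "CRITICAL", "container": name,
                             "fix": "remove securityContext.privileged: true"})
        # The restricted profile requires this to be explicitly false.
        if ctx.get("allowPrivilegeEscalation") is not False:
            findings.append({"id": "PRIVILEGE_ESCALATION", "severity": "MEDIUM", "container": name,
                             "fix": "set securityContext.allowPrivilegeEscalation: false"})
        limits = (c.get("resources") or {}).get("limits") or {}
        for res in ("cpu", "memory"):
            if res not in limits:
                findings.append({"id": f"MISSING_{res.upper()}_LIMIT", "severity": "LOW",
                                 "container": name, "fix": f"set resources.limits.{res}"})
    return findings


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_DEPLOYMENT), ("hardened", HARDENED_DEPLOYMENT)):
        print(f"{label}: {len(check_pod_security(manifest))} finding(s)")
        for f in check_pod_security(manifest):
            print(f"  [{f['severity']}] {f['id']} in container {f['container']}: {f['fix']}")
```

The checks run on the PodSpec, so the same function covers bare Pods and any workload kind that embeds a pod template; a production scanner would add the remaining restricted-profile rules (seccomp profile, capability drops, host namespaces) in the same loop.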

Secret Detection

All scan types include automatic secret detection. Trivy identifies:

  • AWS access keys and secrets
  • GitHub tokens
  • Private keys
  • Database connection strings
  • API keys and passwords

Detected secrets are masked in the UI (first 3 and last 3 characters shown) and categorized by type.

Security Notifications

Connect your existing notification channels to receive security alerts:

  • Slack — rich message with severity breakdown
  • Email — formatted HTML report
  • Telegram / Discord / MS Teams — instant alerts
  • PagerDuty — critical vulnerability escalation

Configure your severity threshold (e.g., only alert on Critical and High) and minimum finding count to reduce noise.
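As an added example (not VersionOps code and not Trivy's), the following Python takes a Trivy JSON report and derives the dashboard fields listed under Results above (severity breakdown, CVE rows with installed/fixed version, CVSS score and remediation), masks detected secrets the way the UI does (first 3 and last 3 characters shown), and applies a severity threshold plus minimum finding count as described for notifications. The report is a constructed sample in the shape of Trivy's JSON output as I understand it (the field names Results, Vulnerabilities, Secrets, Match and CVSS.nvd.V3Score are an assumption about that schema); the CVE identifiers and the key string are placeholders, not real findings.

```python
"""Summarise a Trivy JSON report the way a security dashboard would."""
import json
from collections import Counter

# Severities in descending order; UNKNOWN sorts last.
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]

# Constructed sample shaped like a Trivy JSON report (field names assumed from
# Trivy's schema). CVE ids and the secret value are placeholders.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example/app:1.0",
    "Results": [
        {"Target": "example/app:1.0 (debian 12.4)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libfoo",
              "InstalledVersion": "1.2.3", "FixedVersion": "1.2.4",
              "Severity": "CRITICAL", "CVSS": {"nvd": {"V3Score": 9.8}}},
             {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libbar",
              "InstalledVersion": "2.0.0", "FixedVersion": "",
              "Severity": "HIGH", "CVSS": {"nvd": {"V3Score": 7.5}}},
             {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "libbaz",
              "InstalledVersion": "0.9", "FixedVersion": "0.9.1",
              "Severity": "LOW", "CVSS": {}},
         ]},
        {"Target": "app/config.env", "Class": "secret",
         "Secrets": [
             {"RuleID": "aws-access-key-id", "Category": "AWS", "Severity": "CRITICAL",
              "Title": "AWS Access Key ID", "Match": "AKIAEXAMPLEKEY000001"},
         ]},
    ],
})


def load_report(text: str) -> dict:
    return json.loads(text)


def _vulns(report: dict):
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:   # key may be absent or null
            yield v


def severity_breakdown(report: dict) -> dict:
    """Counts per severity, always including every severity level."""
    counts = Counter(v.get("Severity", "UNKNOWN").upper() for v in _vulns(report))
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def cve_rows(report: dict) -> list:
    """One row per CVE, sorted most severe first, with a remediation string."""
    rows = []
    for v in _vulns(report):
        fixed = v.get("FixedVersion") or ""
        rows.append({
            "cve": v["VulnerabilityID"], "package": v["PkgName"],
            "installed": v["InstalledVersion"], "fixed": fixed or None,
            "cvss": ((v.get("CVSS") or {}).get("nvd") or {}).get("V3Score"),
            "severity": v.get("Severity", "UNKNOWN").upper(),
            "remediation": f"upgrade {v['PkgName']} to {fixed}" if fixed else "no fix available yet",
        })
    rows.sort(key=lambda r: SEVERITY_ORDER.index(r["severity"]))
    return rows


def mask_secret(value: str, keep: int = 3) -> str:
    """Show the first and last `keep` characters; fully mask values too short to reveal safely."""
    if len(value) <= 2 * keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - 2 * keep) + value[-keep:]


def masked_secrets(report: dict) -> list:
    """Detected secrets categorised by type, with the matched value masked."""
    out = []
    for result in report.get("Results", []):
        for s in result.get("Secrets") or []:
            out.append({"type": s.get("Category"), "rule": s.get("RuleID"),
                        "severity": s.get("Severity"), "target": result.get("Target"),
                        "match": mask_secret(s.get("Match", ""))})
    return out


def should_alert(report: dict, threshold: str = "HIGH", min_findings: int = 1):
    """(alert?, count): alert when at least min_findings vulns are at or above threshold."""
    breakdown = severity_breakdown(report)
    eligible = SEVERITY_ORDER[: SEVERITY_ORDER.index(threshold.upper()) + 1]
    count = sum(breakdown[s] for s in eligible)
    return count >= min_findings, count


if __name__ == "__main__":
    report = load_report(SAMPLE_REPORT)
    print(report["ArtifactName"], severity_breakdown(report))
    for row in cve_rows(report):
        print(f"  {row['severity']:<8} {row['cve']} {row['package']} {row['installed']} -> {row['remediation']}")
    for s in masked_secrets(report):
        print(f"  secret [{s['type']}] {s['rule']} in {s['target']}: {s['match']}")
    print("alert (>= HIGH, min 1):", should_alert(report))
```

Note that the threshold check counts vulnerabilities only; detected secrets carry their own severity and in practice warrant an alert regardless of the count threshold, so a real pipeline would route them separately.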

The Security Hub Dashboard

The overview dashboard aggregates data from all sources:

  • Total vulnerability count across all scan types
  • Severity distribution chart
  • Trend lines — are things getting better or worse?
  • Top vulnerabilities — most common CVEs across your infrastructure
  • Recent scans — quick access to latest results

Navigate between sections using the sidebar:

  • Overview — aggregated stats
  • Vulnerabilities — unified CVE list from all sources
  • Containers — Docker image scanning
  • Infrastructure — IaC and K8s scanning
  • Dependencies — npm/package CVEs (from Projects)

Getting Started

Step 1: Navigate to Security

Click Security in the main navigation bar.

Step 2: Add Container Images

Go to the Containers section, click Add Image, and enter your image references. Start with your most critical production images.

Step 3: Run Your First Scan

Click the scan button on any image. Results typically appear within 30–60 seconds depending on image size.

Step 4: Set Up Auto-Scan

Enable auto-scanning with a 24-hour interval for continuous monitoring.

Step 5: Configure Alerts

Go to the notification settings in the Security section and connect your preferred channels. Set severity thresholds to control alert volume.

What's Next

We're working on:

  • Private registry support — scan images from AWS ECR, GitLab, and other private registries (coming in 1.9.0)
  • Compliance reports — exportable PDF/CSV reports for audit requirements
  • Remediation tracking — mark vulnerabilities as acknowledged or resolved
  • CI/CD integration — trigger scans from your deployment pipeline
